Privacy protection: The government is no help

Is hacking Congress the only way to make the point that data protection laws are woefully weak?

Does a day go by in which there are no stories about millions of confidential records stolen or lost?

Several sources indicate that the number of confidential client records stolen in the last few years is many tens of millions. Edentify, an identify theft prevention vendor, states that more than 32 million records from more than 70 vendors have been stolen in the first half of 2006 alone. They project over 78 million stolen U.S. identities by the end of the year.

The United States has a population of 298 million people, of which 85 percent are 19 or older. That works out to 235 million people with credit records and bank accounts to ruin. If Edentify's 78 million figure is even close to accurate, that means that 33 percent of America’s confidential information will be in the hands of thieves this year alone.

I’m sure some of you think Edentify’s figures are overstated and misleading, but they are calculated using publicly reported numbers; download a related identity theft chart created by Privacy Rights Clearinghouse, a nonprofit consumer organization, to see the data.

I'm inclined to believe them, myself, although I’m sure there is some data crossover -- I’ve been notified by three different vendors this year that my information has been stolen. But does anyone want to bet that the cross-reported figures would be more than offset by all the lost and stolen records that no one even knows about?

But, hey, cut the figure in half. Maybe only 32 million records will be stolen this year.

Is this a problem for anybody? Exactly what would it take for Congress to mandate real consumer protection? Because right now Congress is getting ready to sell consumers down the river.

As Gripe Line columnist Ed Foster recounted in his excellent report, there are several different data privacy acts under consideration in the House and Senate. I covered some of them last year; back when they were a jumbled and confusing set of proposals, none of which were written with the consumer in mind.

It’s gotten worse since then, and all of the bills under consideration now are even more bogus than before. Each seems to be personally written by the very businesses they are designed to regulate. Congress is becoming more ineffective, or worse, actively working to undermine current, stronger, state security laws.

If Washington cared about consumer security, it would pass a federal privacy law that protected every consumer and did not attempt to supersede stronger state laws. If Congress was concerned, any law passed to protect our computer security and privacy would:

* Mandate strong data protection for all confidential consumer data, whether held here or abroad (many U.S. corporations are storing consumer data overseas to avoid complying with the already existing weak U.S. laws);

* Mandate annual internal and external computer security reviews to ensure that consumer data is being protected;

* Mandate default encryption for all portable computers and media holding confidential consumer data;

* Mandate automatic, timely notification to the consumer when even one record is compromised. Forget numeric thresholds -- each and every consumer that gets their record violated is notified;

* Mandate government fines for violations, and prison for repeat offenders;

* Allow for consumers to sue if confidential data is not adequately safeguarded -- for instance, any lost or stolen plaintext data on portable media or computers is an immediate fault;

* Mandate that companies make the CEO or business leader accountable for these data protections, regardless of the size of the company. If the business holds even one consumer record, it must declare a responsible person;

* Mandate that any consumer can require any company to reveal what information they have on the consumer, and mandate that information must be accurate if the consumer contests it;

* Seed fund the entity that will be tasked with enforcing this new law, and allow it to self-fund (running on the funds collected from violators) thereafter. As any government entity likes to grow, this will ensure enforcement;

* Mandate that the entities tasked with upholding and enforcing the new law annually report to Congress on the number of violations and the penalties. This is to prevent a good security law from being passed but rarely enforced (e.g., HIPAA, SOX, and the hiring of illegal immigrants).

I wouldn't be happy with less, and you shouldn’t either.

Would these clauses be burdensome on business? I don’t care. It’s burdensome that they keep allowing my confidential records to be lost and stolen.

One-third of all adults in the U.S. will have their identity records stolen this year. McFly? Hello, McFly!?! What more could it take for Congress to enact real consumer data protections?

Here's one scenario: It would take a hacker stealing the identity information of the all lawmakers in Congress and then posting that information to the Internet. And we will follow the rules set forth by their own current proposals, which means we'll consider notifying the affected members only if we think the data could be used fraudulently and if there are more than 10,000 records involved. Oops, there aren't more than 10,000 members of Congress -- guess they won't be getting a notification.

I mean if Congress can play so loosely with our records, turnabout is only fair.